Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps

Like a super strain of bacteria, the rootkit plaguing Dragos Ruiu is omnipotent.

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data to other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since."

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."

Over the past two weeks, Ruiu has taken to Twitter, Facebook, and Google Plus to document his investigative odyssey and share a theory that has captured the attention of some of the world's foremost security experts. The malware, Ruiu believes, is transmitted through USB drives to infect the lowest levels of computer hardware. With the ability to target a computer's Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI), and possibly other firmware standards, the malware can attack a wide variety of platforms, escape common forms of detection, and survive most attempts to eradicate it.

But the story gets stranger still. In posts here, here, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.

Bigfoot in the age of the advanced persistent threat

At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw. (A compilation of Ruiu's observations is here.)

Also unexplained is why Ruiu would be on the receiving end of such an advanced and exotic attack. As a security professional, the organizer of the internationally renowned CanSecWest and PacSec conferences, and the founder of the Pwn2Own hacking competition, he is no doubt an attractive target to state-sponsored spies and financially motivated hackers. But he's no more attractive a target than hundreds or thousands of his peers, who have so far not reported the kind of odd phenomena that have afflicted Ruiu's computers and networks.

In contrast to the skepticism that's common in the security and hacking cultures, Ruiu's peers have mostly responded with deep-seated concern and even fascination to his dispatches about badBIOS.

"Everybody in security needs to follow @dragosr and watch his analysis of #badBIOS," Alex Stamos, one of the more trusted and sober security researchers, wrote in a tweet last week. Jeff Moss—the founder of the Defcon and Blackhat security conferences who in 2009 began advising Department of Homeland Security Secretary Janet Napolitano on matters of computer security—retweeted the statement and added: "No joke it's really serious." Plenty of others agree.

"Dragos is definitely one of the good reliable guys, and I have never ever even remotely thought him dishonest," security researcher Arrigo Triulzi told Ars. "Nothing of what he describes is science fiction taken individually, but we have not seen it in the wild ever."

Been there, done that

Triulzi said he's seen plenty of firmware-targeting malware in the laboratory. A client of his once infected the UEFI-based BIOS of his Mac laptop as part of an experiment. Five years ago, Triulzi himself developed proof-of-concept malware that stealthily infected the network interface controllers that sit on a computer motherboard and provide the Ethernet jack that connects the machine to a network. His research built on work by John Heasman that demonstrated how to plant hard-to-detect malware known as a rootkit in a computer's peripheral component interconnect, the Intel-developed connection that attaches hardware devices to a CPU.

It's also possible to use high-frequency sounds broadcast over speakers to send network packets. Early networking standards used the technique, said security expert Rob Graham. Ultrasonic-based networking is also the subject of a great deal of research, including this project by scientists at MIT.

"Really, everything Dragos reports is something that's easily within the capabilities of a lot of people," said Graham, who is CEO of penetration testing firm Errata Security. "I could, if I spent a year, write a BIOS that does everything Dragos said badBIOS is doing. To communicate over ultrahigh frequency sound waves between computers is really, really easy."
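Graham's point that acoustic data transfer between computers is easy cuts both ways: a channel that has to push energy through a speaker into a microphone is also straightforward to look for. The following is an added example, not code from the article, from Ruiu, or from Graham, that scores frames of a microphone capture for energy in the 18 to 22 kHz band, the near-ultrasonic range such a channel would have to occupy on ordinary laptop hardware, using a direct DFT of only the bins in that band. The sample rate, frame size, band edges, alert threshold and the two test clips are constructed assumptions for the illustration; several commenters below propose exactly this kind of capture-and-analyze check.

```python
import cmath
import math

# Constructed parameters (assumptions for this illustration, not from the article).
SAMPLE_RATE = 48000        # Hz, a common laptop codec rate
FRAME = 1200               # samples per analysis frame: 25 ms, 40 Hz per DFT bin
BAND_HZ = (18000, 22000)   # near-ultrasonic band most people cannot hear
ALERT_DBFS = -60.0         # alert if band power exceeds this level (illustrative)


def dft_bin_power(samples, k):
    """Return |X[k]|^2, the power in DFT bin k, computed directly (O(n) per bin)."""
    n = len(samples)
    z = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))
    return abs(z) ** 2


def band_power(samples, sample_rate, lo_hz, hi_hz):
    """Mean-square power of `samples` that falls in [lo_hz, hi_hz].

    By Parseval's relation, sum_k |X[k]|^2 / n^2 equals the mean-square value of
    the signal, so summing only the bins inside the band (doubled to account for
    the mirrored negative-frequency bins) gives the band's share in those units.
    """
    n = len(samples)
    bin_hz = sample_rate / n
    k_lo = math.ceil(lo_hz / bin_hz)
    k_hi = min(int(hi_hz / bin_hz), n // 2)
    acc = sum(dft_bin_power(samples, k) for k in range(k_lo, k_hi + 1))
    return 2.0 * acc / (n * n)


def dbfs(power):
    """Power relative to full scale (mean-square 1.0), floored to avoid log(0)."""
    return 10.0 * math.log10(max(power, 1e-12))


def analyze_frame(samples, sample_rate=SAMPLE_RATE):
    """Score one frame: band level in dBFS, share of total power in band, alert flag."""
    total = sum(x * x for x in samples) / len(samples)
    band = band_power(samples, sample_rate, *BAND_HZ)
    level = dbfs(band)
    return {
        "band_dbfs": round(level, 1),
        "band_fraction": band / total if total > 0 else 0.0,
        "alert": level > ALERT_DBFS,
    }


def tone(freq_hz, amplitude, n=FRAME, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine at freq_hz with peak `amplitude`."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate) for i in range(n)]


def mix(*clips):
    return [sum(values) for values in zip(*clips)]


# Constructed clips (not real captures): ordinary audible content, and the same
# content with a quiet 19 kHz carrier added at roughly -37 dBFS.
AUDIBLE_ONLY = mix(tone(400, 0.4), tone(1000, 0.2))
WITH_CARRIER = mix(AUDIBLE_ONLY, tone(19000, 0.02))

if __name__ == "__main__":
    for name, clip in (("audible only", AUDIBLE_ONLY), ("with 19 kHz carrier", WITH_CARRIER)):
        print(name, analyze_frame(clip))
```

On real captures, apply a Hann window before the DFT, average over many frames, and take a baseline with the speakers muted first: fans, switching regulators and cheap codecs all put some energy above 18 kHz, so what warrants attention is a sustained level well above that baseline, not a single frame over a fixed threshold.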

Eureka

For most of the three years that Ruiu has been wrestling with badBIOS, its infection mechanism remained a mystery. A month or two ago, after buying a new computer, he noticed that it was almost immediately infected as soon as he plugged one of his USB drives into it. He soon theorized that infected computers have the ability to contaminate USB devices and vice versa.

"The suspicion right now is there's some kind of buffer overflow in the way the BIOS is reading the drive itself, and they're reprogramming the flash controller to overflow the BIOS and then adding a section to the BIOS table," he explained.

He still doesn't know if a USB stick was the initial infection trigger for his MacBook Air three years ago, or if the USB devices were infected only after they came into contact with his compromised machines, which he said now number between one and two dozen. He said he has been able to identify a variety of USB sticks that infect any computer they are plugged into. At next month's PacSec conference, Ruiu said he plans to get access to expensive USB analysis hardware that he hopes will provide new clues about the infection mechanism.

He said he suspects badBIOS is only the initial module of a multi-staged payload that has the ability to infect the Windows, Mac OS X, BSD, and Linux operating systems.

"It's going out over the network to get something or it's going out to the USB key that it was infected from," he theorized. "That's also the conjecture of why it's not booting CDs. It's trying to keep its claws, as it were, on the machine. It doesn't want you to boot another OS it might not have code for."

To put it another way, he said, badBIOS "is the tip of the warhead, as it were."

“Things kept getting fixed”

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility that it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed the internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

"The airgapped machine is acting like it's connected to the Internet," he said. "Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird."

It's too early to say with confidence that what Ruiu has been observing is a USB-transmitted rootkit that can burrow into a computer's lowest levels and use it as a jumping-off point to infect a variety of operating systems with malware that can't be detected. It's even harder to know for sure that infected systems are using high-frequency sounds to communicate with isolated machines. But after almost two weeks of online discussion, no one has been able to rule out these troubling scenarios, either.

"It looks like the state of the art in intrusion stuff is a lot more advanced than we assumed it was," Ruiu concluded in an interview. "The take-away from this is a lot of our forensic procedures are weak when faced with challenges like this. A lot of companies have to take a lot more care when they use forensic data if they're faced with sophisticated attackers."

Promoted Comments

It's not a Halloween hoax Dan made up. @dragosr has been tweeting about this for weeks.

If it were someone less well known in the industry, I'd be more inclined to think it was a hoax, but I think he has stuck with the story too long for it to be a knowing hoax when his career is so dependent on reputation.

How can that machine be attacked by the high-frequency transmissions coming from an infected machine? That's impossible. They had to put in a USB stick into that machine at one point and it got infected.

Yeah, I'm not sure why that didn't occur to him earlier. If a machine is disconnected from everything else and you use one of your USB drives to do a fresh install... Gee, where do you think the viruses came from?

Assuming this is real, it must have taken a tremendous amount of effort to create, and all that effort is now going to waste as they (for some reason, probably accidentally) infected a security researcher. This is an entirely new attack vector; it would have been intended to be used sparingly on major targets only. Someone got fired over that huuuge mistake.

Interestingly, this exposes a seldom-discussed downside of using an Apple computer. Their product line is extremely small, which means that hardware-specific attacks and firmware attacks like BIOS rewrites are much easier to do.

Several people have said that they don't believe a machine can become infected from its microphone. To repeat what Gracana said, that wasn't claimed. The claim is that infected machines whisper to one another using ultrasound. Somehow this fixes bits of the malware as it is being attacked.

Even if the machine being repaired is tethered to the Internet via ultrasound, would the mothership really have the bandwidth to "telnet in" and make repairs?

As a journalist for more than 17 years, I have never written a spoof story for April Fool's Day or any other holiday. I certainly had no intention of doing so with this article. It's completely coincidental that this story ran today, on Halloween.

The ninth paragraph of my article reads:

Quote:

At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw.

Here and elsewhere in the post, I have tried to make clear that many of the details of this article sounded far-fetched to me. They still do. I have also tried to be transparent that no one has independently corroborated Ruiu's findings. That said, these same details have been publicly available for more than two weeks, and a large number of Ruiu's peers find them believable.

I decided to resolve this conflict between my own skepticism and the reaction of Ruiu's fellow security researchers by reporting accurately what all of them said and making clear that so far no one has peer reviewed Ruiu's research process or findings.

I have no doubt that researchers will pore over every laptop and USB drive Ruiu makes available and independently arrive at their own conclusions. I fully intend to report whatever they find. If they find no evidence to support Ruiu's account, Ars readers will be among the first to know.

Quote:

How can that machine be attacked by the high-frequency transmissions coming from an infected machine? That's impossible. They had to put in a USB stick into that machine at one point and it got infected.

Yeah, I'm not sure why that didn't occur to him earlier. If a machine is disconnected from everything else and you use one of your USB drives to do a fresh install... Gee, where do you think the viruses came from?

However, that doesn't even begin to explain how an uninfected computer starts listening for and decoding microphone data, without a substantial DSP program.

Right, I don't think that was ever claimed, it was just noticed that infected machines networked somehow.

What they are saying is that attempts to air gap a machine were not successful. Removing network, wireless, Bluetooth and power were not enough to stop encrypted packets from making it to the machine. Note, removing the power from a laptop means that it will continue working but will prevent signals from being sent through the power lines. It does require a second infected machine to be present. From the Ars article:

Quote:

observing encrypted data packets being sent to and from an infected laptop that had no obvious network connection with—but was in close proximity to—another badBIOS-infected computer. The packets were transmitted even when the laptop had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord so it ran only on battery to rule out the possibility it was receiving signals over the electrical connection.

This is a bit unclear. How can that machine be attacked by the high-frequency transmissions coming from an infected machine? That's impossible. They had to put in a USB stick into that machine at one point and it got infected. I'm not sure how different is it than inserting an infected floppy disk back in the day. Air gapped or not, once you put some other media into it all bets are off.

The REALLY scary part is that it is extremely difficult to be sure that your hardware wasn't just waiting for that signal since it was manufactured.

Actually, the folks who think they can tell one way or another are probably in denial. Unless you know the guy or are in the industry pretty deep, I don't see how any information available anywhere could settle whether this is a hoax or not.

Anyone who relies on "why would they lie?!" as reasoning for why something is not a hoax is pretty credulous. People in much more stuffy positions have regurgitated stories for (positive, negative, who cares?) attention and torpedoed their credibility.

Antenna for what? Where's the transmitter? Where's the receiver? What's the carrier, and what's being modulated? Wireless is a heckuva lot more complex.

Although I'm pretty much null regarding the electronic side of software, if this malware turns out to be true it sort of broadens the concept of what is possible. Now if we consider the magnitude of the NSA espionage it could be possible that the government demanded hardware companies install certain backdoors or routines into the firmware and this malware is just using it.

I feel compelled to comment after noticing a trend in the prior comments. Many folks are making arguments that the story is 1.) true because it's possible or 2.) false because it's not possible. As a few people have pointed out, and I would like to re-iterate, individual aspects of this story are certainly possible (networking using sound waves, etc.), but suspicion is raised based on how the parts of the story fit together.

The reason that I'm writing is that I want to remind Dan and his editors that Ars' reputation could take a hit if Ars is found to have been 1.) duped or 2.) deliberately deceptive. If anyone is surprised at how seriously Ars' readers are taking this, it is a testament to Ars' reputation and good-will among its readers. These are assets that should not be taken for granted or exploited for a joke.

There are 2 possibilities here

1. The story is legitimate.
2. The story is not legitimate.

If the story is legitimate, I trust Dan and Ars will continue to follow up and keep us in the know.

If the story is not legitimate, there are two more possibilities.

1. Dan is deliberately fooling us, picking up on a story he knows to be false and amplifying it.
2. Dan has been duped, having picked up a story he thought to be legitimate and validating the hoax with Ars' own good name.

If the story is not legitimate, and Dan is in on the joke, it needs to stop now. As noted previously, April Fools' Day pranks are one thing, but putting a serious publication's reputation on the line by deliberately reporting a falsehood, no matter how creative, is intolerable. Ars is one of the very best sources of science and technology news; many reputable journalists and institutions pick up stories from Ars and broadcast them with little hesitation or compunction.

If the story is not legitimate and Dan is not in on the joke, we need to know what the motivation for the hoax is (personally, I thought crowd-sourced research proposed earlier was an interesting, if far-fetched, hypothesis).

I've been on the inter-tubes for twenty years and this is the first time I've ever bothered to write a comment anywhere. Dan, I implore you to issue a brief comment that verifies that you are reporting this story in earnest or are looking further into its veracity.

Quote:

It's not a Halloween hoax Dan made up. @dragosr has been tweeting about this for weeks.

If it were someone less well known in the industry, I'd be more inclined to think it was a hoax, but I think he has stuck with the story too long for it to be a knowing hoax when his career is so dependent on reputation.

... and hoaxers are incapable of building up to their grand scheme over months and years and even decades. Right. It's happened before.

No, this is too crazy and the publication date of this story is too convenient. I suppose it's possible but I just can't buy it yet.

Well, of course the story has all the hallmarks of foolish people who think they have seen ghosts, etc. Bulwer-Lytton quality writing. Spookiness. Note that Ars' own Dr. Pizza tweeted yesterday a link to a news story wherein a woman photographed the “soul” of a blown-over tree escaping—to tree heaven, we are meant to assume. With special mention of the fact that the woman was a science teacher, somebody who you'd think would know better. That sort of stuff makes the rounds, all right.

But I can't see why anybody needs to make decisions on this story. There's no indication that the malevolent daemon with its magical force-field has escaped Mr. Ruiu's lab into the wild. Nor is there anything that anybody knows how to do about it, if it were to. Damn little actual evidence of ANYTHING verifiable at all, in fact — what should I, as a concerned Ars reader do — what should anybody charged with security do?

Maybe some kind of pseudo-white-noise, chirp, or other really, really slow networking would be possible between already-infected PCs via audio, without attracting the attention of the users. Even easier, audio steganography, but that requires the PCs to be playing something anyway.

But you're not getting ultrasonics out of a laptop mic and speaker. You're not even getting ultrasonics out of professional microphones. And a good number of desktops don't have mics or speakers.

While all of this is theoretically possible, it seems a little strange to me that someone who is a security professional and who has come up with some fairly obscure theories for how these things are happening hasn't done better work on experimentally isolating and recording data related to this.

Various people have mentioned retrieving and analyzing the bios/firmware. Even if the system is completely inoperable, this can still be done with a reader (and even if the bios is soldered on, with a little more work).

If the suspected route of infection is USB, why not just hook up a USB development unit like a facedancer, emulate a usb drive, and see what gets sent? Much cheaper than a USB analysis kit... and even those aren't so expensive anymore as to make sense of why a security professional would wait on using someone else's.

If ultra sonic audio networking is actually being used, then it should be something that could be recorded and analyzed. If you can't record it via a similar microphone as what's in one of the infected systems, then it's obviously not ultra sonic audio networking taking place.

It would be trivial to buy a fresh flash drive, mount it on an infected system, then insert it into an uninfected system and observe results.

It seems like a bizarre amount of time and really sloppy isolation procedure to realize after multiple years that using the same usb drive as had been used on an infected machine also seemed to coincide with a new machine becoming infected.

I'm not saying I think it's a hoax, but some of the narrative makes things feel very skeptical... maybe there are parts which just aren't reflected here, but otherwise it feels odd that as a non security professional I can look at this and immediately identify steps *I* would have taken that seemingly weren't.
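One of the checks this commenter proposes, reading the flash with an external programmer and comparing the dump against a known-good image, is mechanical enough to script. The following is an added example, not code from the commenter, from Ruiu, or from Ars, that compares a dumped image against a reference of the same size, reports every differing byte run as an (offset, length) region, and lets the caller exclude ranges such as an NVRAM/variable store that legitimately changes between boots. The image layout, the NVRAM offsets and both images are constructed for the example; real offsets come from the platform's flash descriptor or vendor documentation.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_regions(reference: bytes, dump: bytes, ignore=()):
    """Return [(offset, length), ...] for byte runs where dump != reference.

    `ignore` holds (offset, length) ranges to skip, for instance an NVRAM region
    whose contents change on every boot. Anything else that differs from the
    vendor image is reported.
    """
    if len(reference) != len(dump):
        raise ValueError(f"size mismatch: reference {len(reference)} vs dump {len(dump)}")
    skip = bytearray(len(reference))
    for off, length in ignore:
        skip[off:off + length] = b"\x01" * length
    regions = []
    start = None
    for i, (a, b) in enumerate(zip(reference, dump)):
        changed = a != b and not skip[i]
        if changed and start is None:
            start = i                      # open a new differing run
        elif not changed and start is not None:
            regions.append((start, i - start))   # close the run
            start = None
    if start is not None:
        regions.append((start, len(reference) - start))
    return regions


def compare_images(reference: bytes, dump: bytes, ignore=()):
    """Hashes of both images plus the list of unexplained differing regions."""
    regions = differing_regions(reference, dump, ignore)
    return {
        "reference_sha256": sha256_hex(reference),
        "dump_sha256": sha256_hex(dump),
        "regions": regions,
        "modified": bool(regions),
    }


# Constructed 64 KiB "vendor" image with an assumed NVRAM region at 0xE000-0xFFFF.
IMAGE_SIZE = 64 * 1024
NVRAM = (0xE000, 0x2000)
REFERENCE = bytes((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))


def build_dump(tamper: bool = False) -> bytes:
    """Constructed dump: benign NVRAM churn, optionally a 64-byte change in code."""
    img = bytearray(REFERENCE)
    img[0xE100:0xE110] = b"\xAA" * 16         # boot-counter style churn (benign)
    if tamper:
        img[0x4200:0x4240] = b"\x00" * 64     # constructed change outside NVRAM
    return bytes(img)


if __name__ == "__main__":
    for label, tamper in (("clean dump", False), ("tampered dump", True)):
        verdict = compare_images(REFERENCE, build_dump(tamper), ignore=[NVRAM])
        print(label, "modified" if verdict["modified"] else "matches reference",
              [(hex(off), length) for off, length in verdict["regions"]])
```

The hashes alone only say whether two images are identical; the region list is what lets you separate expected churn from a change in the code volume, and it tells you where to point a firmware parser next.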

Turns out that last week the internet woke up, experienced the singularity and all our computers are now talking to each other through subspace. So it's not malware, it's the future of computing! Put in ear plugs now, because v2.0 infects humans as well.

Quote:

Maybe some kind of pseudo-white-noise, chirp, or other really, really slow networking would be possible between already-infected PCs via audio, without attracting the attention of the users. Even easier, audio steganography, but that requires the PCs to be playing something anyway.

But you're not getting ultrasonics out of a laptop mic and speaker. You're not even getting ultrasonics out of professional microphones. And a good number of desktops don't have mics or speakers.

I believe you are wrong here. As others have pointed out and corrected, you can't get infrasonics (low frequency) but you can get ultrasonics.

Quote:

As a journalist for more than 17 years, I have never written a spoof story for April Fool's Day or any other holiday. I certainly had no intention of doing so with this article. It's completely coincidental that this story ran today, on Halloween.

The ninth paragraph of my article reads:

Quote:

At times as I've reported this story, its outline has struck me as the stuff of urban legend, the advanced persistent threat equivalent of a Bigfoot sighting. Indeed, Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw.

Here and elsewhere in the post, I have tried to make clear that many of the details of this article sounded far-fetched to me. They still do. I have also tried to be transparent that no one has independently corroborated Ruiu's findings. That said, these same details have been publicly available for more than two weeks, and a large number of Ruiu's peers find them believable.

I decided to resolve this conflict between my own skepticism and the reaction of Ruiu's fellow security researchers by reporting accurately what all of them said and making clear that so far no one has peer reviewed Ruiu's research process or findings.

I have no doubt that researchers will pore over every laptop and USB drive Ruiu makes available and independently arrive at their own conclusions. I fully intend to report whatever they find. If they find no evidence to support Ruiu's account, Ars readers will be among the first to know.

Quote:

Maybe some kind of pseudo-white-noise, chirp, or other really, really slow networking would be possible between already-infected PCs via audio, without attracting the attention of the users. Even easier, audio steganography, but that requires the PCs to be playing something anyway.

But you're not getting ultrasonics out of a laptop mic and speaker. You're not even getting ultrasonics out of professional microphones. And a good number of desktops don't have mics or speakers.

Besides, you could just intercept the audio stream, capture and visualize the data.

Honestly,

Quote:

Ruiu has conceded that while several fellow security experts have assisted his investigation, none has peer reviewed his process or the tentative findings that he's beginning to draw.

Is the only thing I care about.

If a lone "security researcher" is doing this all, I really don't care. It's not quite academia, but the security community is apparently less likely to fall for this bullshit.

According to Roger Grimes over at InfoWorld, there are entire companies built around creating APTs and managing them once they infect their target (keeping them installed and collecting data). APTs are some scary stuff. Luckily, like one of the promoted comments said, they're usually only leveled at very high priority targets so that their underlying exploits aren't fixed.

Quote:

I decided to resolve this conflict between my own skepticism and the reaction of Ruiu's fellow security researchers by reporting accurately what all of them said and making clear that so far no one has peer reviewed Ruiu's research process or findings.

Ars is usually less crackpot-tolerant on other topics. Why should this isolated individual be treated with less suspicion than the quantum cat energy device or bigfoot sightings?

I would suggest that Dragos Ruiu see a psychiatrist. When I've seen such tales online it's been because the poster needs help.

QFT. If dragosr is pursuing this in earnest, believes it all to be true, and Dan has reported it accurately (which I am initially doubtful of, as this article is not in line with my expectations for the quality of an Ars Technica piece)--if all that holds, then I am concerned for dragosr's welfare.

No one proposed to use a vacuum room for the laptop. Sound waves do not propagate over space. He can verify the ultrasound claims easily. IMHO, it's a publicity stunt until I see proof either in video or code.

Computers need air to cool themselves. It would probably be easier, as suggested by others, to use an oscilloscope on the speakers. It all does seem very Halloween/April 1st.

Quote:

Assuming this is real, it must have taken a tremendous amount of effort to create, and all that effort is now going to waste as they (for some reason, probably accidentally) infected a security researcher. This is an entirely new attack vector; it would have been intended to be used sparingly on major targets only. Someone got fired over that huuuge mistake.

Interestingly, this exposes a seldom-discussed downside of using an Apple computer. Their product line is extremely small, which means that hardware-specific attacks and firmware attacks like BIOS rewrites are much easier to do.

True, but there aren't THAT many motherboard manufacturers/bios writers out there anyway. There's what, maybe half a dozen major ones and a few minor ones? They probably keep much of the bios code quite similar iteration to iteration. If I were some big scary intrusive government agency like the NSA I don't think that would deter me too much. I'd probably look for the most likely targets and write code for all of them...and keep iterating as I go.

So tell me again what the frequency response is for the speakers and the microphones? Mostly I've heard 20 kHz and 22 kHz. That is within audible ranges, shouldn't someone hear that?

Also, this is why I widely recommend a secondary, unwritable BIOS on board from which you can flash the main BIOS. Once you've done that, a fresh HDD, booting from a CD-ROM (should work now that it has a clean BIOS), and keep your filthy flash drives away from it.

Quote:

I decided to resolve this conflict between my own skepticism and the reaction of Ruiu's fellow security researchers by reporting accurately what all of them said and making clear that so far no one has peer reviewed Ruiu's research process or findings.

Ars is usually less crackpot-tolerant on other topics. Why should this isolated individual be treated with less suspicion than the quantum cat energy device or bigfoot sightings?

I think it's a mischaracterization to refer to Ruiu as an isolated individual. He's a professional security consultant, the organizer of two highly regarded security conferences, and the founder of the Pwn2Own competition. True, no one has independently corroborated his account. But he is most definitely more than an isolated individual. Given his reputation in security circles, what he's been publicly reporting online for the past two weeks is worthy of an article that provides an accurate summary.

Without admin/root privilege on your current OS, programs on USB sticks won't be able to overwrite the BIOS. Programs, including malware, can read/access and use BIOS interrupt calls but cannot modify the BIOS. So does this mean the researcher, Dragos Ruiu, has root or admin powers while investigating this malware?

edit: Modern OSes since Win 2000, NT, XP etc. (regardless of version or type) always protect the lower memory, including the BIOS. Unless Win8 itself has unknown holes (CVE) which will allow programs to run as root. Maybe some AV is behind this propaganda.

Quote:

I think it's a mischaracterization to refer to Ruiu as an isolated individual. He's a professional security consultant, the organizer of two highly regarded security conferences, and the founder of the Pwn2Own competition. True, no one has independently corroborated his account. But he is most definitely more than an isolated individual. Given his reputation in security circles, what he's been publicly reporting online for the past two weeks is worthy of an article that provides an accurate summary.

Thanks for the clarification. I'm not any more convinced he's "found something", but I am definitely sadder than I was originally.

I've known too many persons in my life who are utterly driven by the pride/narcissism of being privy to supernatural "facts" they can't prove, but they generally started from false premises and didn't get led astray by things that in this case, I can only speculate rather inappropriately on. If that's the case, I do hope he gets the help he needs.

When I say "isolated individual", I do mean that, in that he's going at all of this alone; you stated that he has no collaborators here and no additional primary investigators.

As a journalist for more than 17 years, I have never written a spoof story for April Fool's Day or any other holiday. I certainly had no intention of doing so with this article. It's completely coincidental that this story ran today, on Halloween.

Okay, so I apparently lose my bet above. ;-)

It looks utterly bizarre, however, that there should not have been any serious attempts at re-engineering the alleged malware for a whole three years by now. That just doesn't compute for me. This would have been my immediate impulse in his reported situation – and I'm not even a security consultant but "just" a developer.

This seems to come down to the entire story being based on Ruiu's claims and reputation, with no further investigation seemingly done by him or by anybody else.

Either Dragos Ruiu doesn't remotely have the capabilities he should have as a presumably seasoned security expert, or he is simply seeing and hearing things – which has happened to people before. Or a combination of both. This might be pointing into a personally disturbing direction more than anything.

Particularly the "air gapping" claims look seriously fishy as things stand; somebody needs to seriously look into this, be it to Dragos Ruiu's personal benefit if it's only happening in his head, or to all of ours if he actually stumbled on something real (which would still raise the question of why he didn't investigate it in earnest).

Given the bizarre security news in recent months, the range of things which could be ruled out right away has shrunk a lot, but the rules of physics and the known properties of existing technology still exist and don't seem to be consistent with this story.

Since you've cast a bright spotlight on the matter already, you should probably try to get closer to the bottom of this.

I don't use Macs on any regular basis, so this thought is uncorrelated with any Apple reality.

Don't some Mac systems support Siri?

If so - I'd suggest that the "only infected machines communicate via sound, no initial infection happens that way" should not be trusted as is. "Infection via microphone" strikes me as incredibly unlikely, but if the machine is, by design, running an infrastructure that listens to the current environs and then goes off and does stuff based on what it hears, you're already well on the road to the possibility of audio exploits for Siri vulnerabilities.

Maybe it's not really a Mac - but instead is a re-purposed core from a binary load lifter.

Even if the machine being repaired is tethered to the Internet via ultrasound, would the mothership really have the bandwidth to "telnet in" and make repairs?

Standard AC97 audio supports a 96 kHz sample rate, so 48 kHz bandwidth, at 16-20 bits/sample. If your speakers and microphone support it, that leaves you about 30 kHz of frequency above most humans' hearing range (especially adults'). Shannon says you can send B log2(1+S/N) bits/second, so depending on the signal/noise ratio of the audio path from the speaker of one machine to the microphone of the other machine, you can fit a moderately decent data rate and still only annoy dogs and small children. (That's going to depend on the equipment, proximity, ambient noise, and also on how long the two modems are going to want to spend syncing up with each other and how much code space the Bad Guys want to spend on it.)

As several people have said, that's not a path for an infected machine to reach an uninfected one (if you can get the target machine to run your secret modem, it's already toast), but it's a potential path for infected machines to keep in touch to keep their malware updated. The Bad Guys can't necessarily use it in a room full of infected machines (unless they want to run CSMA/CD or polling protocols over the audio channel), but they can use it to reach some machines if they can't get there by other networks.

> I don't use Macs on any regular basis, so this thought is uncorrelated with any Apple reality.
>
> Don't some Mac systems support Siri?
>
> If so - I'd suggest that the "only infected machines communicate via sound, no initial infection happens that way" should not be trusted as is. "Infection via microphone" strikes me as incredibly unlikely, but if the machine is, by design, running an infrastructure that listens to the current environs and then goes off and does stuff based on what it hears, you're already well on the road to the possibility of audio exploits for Siri vulnerabilities.

Macs don't have Siri, but there is a dictation feature in Mountain Lion. It must be started explicitly by the user, however, so that doesn't provide any plausible attack surface to a cold attack.

I'm calling shenanigans on this one. That's some incredibly complex code to write and operate within BIOS. What is a typical BIOS memory capacity? 1-2MB? Keep in mind it's a functional system (to some degree) afterwards, so some of that 1-2MB is being used for actual traditional BIOS activity.

The value level codecs most manufs are willing to license probably top out at 16/48, not 24/96. Granted, I haven't really done much of a low end mobo comparison recently, but I see their availability at Realtek's site.

I might add another point: It is actually not entirely impossible that Ruiu was/is in fact actively targeted by a criminal or governmental manipulation attack, potentially including physical break-ins to his house and addition or removal of manipulated hardware and leaving him with inscrutable artefacts – given what we've learned this is certainly not beyond certain organisations' capabilities for a specifically targeted operation, even possibly for the purpose of discrediting him that way.

But even then I would expect more diligence and more contextually sensible analysis from him.

> I might add another point: It is actually not entirely impossible that Ruiu was/is in fact actively targeted by a criminal or governmental manipulation attack, potentially including physical break-ins to his house and addition or removal of manipulated hardware and leaving him with inscrutable artefacts – given what we've learned this is certainly not beyond certain organisations' capabilities for a specifically targeted operation, even possibly for the purpose of discrediting him that way.
>
> But even then I would expect more diligence and more contextually sensible analysis from him.

Really, and that's the problem. Many of the statements presented are plausible. All of them, as stated by the one individual, give an unpleasant feeling.

It's a feeling I reach daily when delving deep into software and service problems, but one I can thankfully bounce off my coworkers with a quick sanity check. Working in a vacuum is problematic, taking on something of this complexity by yourself (real or not) could put you through the rabbit hole into extreme paranoia.

Turns out that last week the internet woke up, experienced the singularity and all our computers are now talking to each other through subspace. So it's not malware, it's the future of computing! Put in ear plugs now, because v2.0 infects humans as well.

I thought we were already v3.0 humans? Or is that some of the unassailable logic of Ray Kurzweil and his human/machine hybrids racing toward us in 2045?

> ...The claim is that infected machines whisper to one another using ultrasound. Somehow this fixes bits of the malware as it is being attacked.
>
> Even if the machine being repaired is tethered to the Internet via ultrasound, would the mothership really have the bandwidth to "telnet in" and make repairs?

I'll assume that only a minority of the readers, here, vividly remember the volume of data that was swapped back and forth in the 1970's and 1980's using sound-based telnet modems. Sometimes the data got "online" via small mike-and-speaker devices that could be slipped over the earpiece and mouthpiece of any standard-design landline phone.

Point being: when it involves hardware-level coding, an amazing amount of useful info can be compressed into surprisingly few bytes and it can be transferred through media like air, water and A/C lines.

Compared to phone modems, multiplexed high-frequency sound can move a surprising amount of data, and we can assume that malware using it includes some robust error-correction routines to retransmit or recover any data that's lost, interrupted or obscured due to background noise or interrupted transmissions.

As opposed to most of the comments here, I don't see why this shouldn't be possible. We've seen so many obscure vectors of attack in the labs (near-undetectable malware hiding in controllers, injecting from PCI boards into the kernel, sonic networking, etc., etc.). Given the potential of a real working kit both for governmental and a bit more obscure clients, it wouldn't be a wonder if anyone out of 7 billion earthly residents had made an attempt at putting these things together.

Edit: On the feasibility of sonic networking in a real-world room: no one said that this has to be ultra-fast. If you're using 32 bits or even 128 bits to encode a single bit, you get plenty of room for error detection and correction. The limit to adding redundancy is only set by your time-scales, and if you've plenty of time to just transfer some hundreds of bytes ...
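The capacity arithmetic in the earlier comment (96 kHz sampling, roughly 30 kHz of ultrasonic bandwidth, Shannon's B log2(1+S/N)) and the redundancy argument in the comment just above can both be made concrete with a small simulation. What follows is an added example written for this page; it is not code from the article, from Ruiu, or from any commenter, and it makes no claim about what badBIOS actually does. It computes the Shannon bound for an assumed 30 kHz band, then pushes a two-byte payload through a toy binary-FSK link at 96 kHz using two assumed tones (20 kHz and 22 kHz, both above most adults' hearing), a Goertzel detector per symbol, and a repetition code with majority voting. A short receiver dropout corrupts the uncoded payload but not the coded one. All rates, tones, noise levels and the dropout position are assumptions chosen for the demo, not measurements.

```python
"""Toy ultrasonic BFSK link: Shannon bound, repetition coding, Goertzel demodulation.
Added example; every constant below is an assumption for the demo."""
import math
import random

SAMPLE_RATE = 96_000      # assumed 96 kHz capture (the AC97 figure from the thread)
F0, F1 = 20_000, 22_000   # assumed tones for bit 0 / bit 1, above most adults' hearing
SYMBOL_SAMPLES = 480      # 5 ms per symbol -> 200 raw symbols/s; 20 kHz = bin 100, 22 kHz = bin 110


def shannon_capacity_bps(bandwidth_hz, snr_db):
    """Hard upper bound C = B * log2(1 + S/N) for a band of width B at the given SNR."""
    snr_linear = 10 ** (snr_db / 10)
    return bandwidth_hz * math.log2(1 + snr_linear)


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


def repeat_encode(bits, n):
    """Send every payload bit n times in a row (n odd, so majority votes never tie)."""
    return [b for b in bits for _ in range(n)]


def repeat_decode(coded, n):
    """Majority vote over each group of n received copies."""
    return [1 if sum(coded[i:i + n]) * 2 > n else 0 for i in range(0, len(coded), n)]


def modulate(bits):
    """Binary FSK: one pure tone per symbol. Both tones fit whole cycles in a symbol,
    so the phase is continuous across symbol boundaries."""
    samples = []
    for k, bit in enumerate(bits):
        freq = F1 if bit else F0
        for s in range(SYMBOL_SAMPLES):
            t = (k * SYMBOL_SAMPLES + s) / SAMPLE_RATE
            samples.append(math.sin(2 * math.pi * freq * t))
    return samples


def goertzel_power(block, freq):
    """Power in a single DFT bin (Goertzel algorithm), no full FFT needed."""
    n = len(block)
    k = round(freq * n / SAMPLE_RATE)       # nearest bin for this tone
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Decide each symbol by comparing energy at the two tones; a silent block decodes as 0."""
    whole = len(samples) - len(samples) % SYMBOL_SAMPLES
    bits = []
    for i in range(0, whole, SYMBOL_SAMPLES):
        block = samples[i:i + SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(block, F1) > goertzel_power(block, F0) else 0)
    return bits


def add_noise(samples, sigma, seed=1):
    """Additive Gaussian room noise with a fixed seed so the demo is reproducible."""
    rng = random.Random(seed)
    return [x + rng.gauss(0, sigma) for x in samples]


def run_link(payload, repeat=1, dropout_symbols=(5, 2), noise_sigma=0.3):
    """Encode, modulate, add noise, lose a short run of symbols at the receiver
    (an interrupted transmission), then demodulate and vote. Returns recovered bytes."""
    coded = repeat_encode(bytes_to_bits(payload), repeat)
    samples = add_noise(modulate(coded), noise_sigma)
    start, count = dropout_symbols
    lo, hi = start * SYMBOL_SAMPLES, (start + count) * SYMBOL_SAMPLES
    samples[lo:hi] = [0.0] * (hi - lo)     # receiver heard nothing for these symbols
    return bits_to_bytes(repeat_decode(demodulate(samples), repeat))


if __name__ == "__main__":
    print("Shannon bound, 30 kHz band at 20 dB SNR: %.0f bit/s" % shannon_capacity_bps(30_000, 20))
    print("uncoded link with a 2-symbol dropout:", run_link(b"OK", repeat=1))
    print("5x repetition with the same dropout: ", run_link(b"OK", repeat=5))
```

With the assumed parameters the Shannon bound for the 30 kHz band at 20 dB is on the order of 200 kbit/s, while this toy link uses 200 symbols/s uncoded and 40 bit/s with five-fold repetition: the point of both comments is that a covert acoustic channel only needs a tiny fraction of the theoretical capacity, and can trade the rest for robustness. A real modem would use a proper block code and interleaving rather than plain repetition, since repetition only survives dropouts shorter than half a coded group.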